Health and Safety for AI and Software Companies: What the Tech Sector Must Address

AI and software companies face a persistent misconception about their health and safety obligations. Because their people work at desks rather than on construction sites, and their products are digital rather than physical, the assumption can take hold that health and safety is a light regulatory burden — something addressed by a brief document and a cursory walkthrough of the office. That assumption is wrong, and increasingly costly. The Health and Safety at Work Act 1974 applies to every UK employer regardless of sector. The Management of Health and Safety at Work Regulations 1999 require systematic risk assessment and competent person appointment from the first employee. In 2024/25, work-related stress, depression, and anxiety affected 964,000 UK workers — 52% of all work-related ill health — with technology and professional services sectors significantly over-represented. DSE injuries, burnout, always-on culture, cybersecurity team mental health, and rapid international expansion each create compliance obligations that AI and software businesses must manage systematically. This guide covers the 12 health and safety priorities every tech company needs to address.
Why AI and Software Companies Need Systematic Health and Safety Management
The technology sector operates under three specific pressures that make health and safety management simultaneously more necessary and more frequently neglected than in traditional industries.
The "we're not a factory" misconception: Software and AI businesses often perceive health and safety as primarily relevant to high-hazard physical industries. In reality, the sector's specific risk profile — concentrated in psychosocial harm, musculoskeletal disorders from sustained screen work, and the compliance complexity of rapid international expansion — creates live and material health and safety obligations that must be managed systematically.
The pace of growth: Many AI and software companies scale from 5 to 500 employees in 18 months, open offices across three continents within two years, and shift from in-office to hybrid-remote and back again. Each change triggers new health and safety obligations that fast-moving organisations frequently do not notice until a regulator or incident makes them visible.
The talent dimension: The technology sector is one of the UK's most competitive talent markets. Burnout, inadequate mental health support, and poor remote working conditions directly damage recruitment, retention, and performance — making health and safety management a commercial imperative alongside its legal dimension. Burnout affects 84% of cybersecurity professionals globally, and survey data consistently shows that technology workers rank working environment and employer care for wellbeing among the top factors in employment decisions.
Health and Safety Consultants with technology sector expertise understand both the specific obligations and the commercial context — producing compliance programmes that protect people and support the business simultaneously.
1. DSE and Home Working: The Most Widespread Tech Sector Obligation
Display screen equipment compliance is the single most widely applicable and most commonly incomplete health and safety obligation in AI and software companies. Virtually every employee in a software or AI business is a habitual screen user — and every one of them triggers specific legal obligations under the Health and Safety (Display Screen Equipment) Regulations 1992.
What the DSE Regulations require:
Every employer must carry out a workstation assessment for each habitual screen user, ensure that identified risks are reduced to the lowest reasonably practicable level, ensure that screens and workstations meet minimum requirements, plan work activities so that screen work is periodically interrupted, and provide eye and eyesight tests on request.
In 2025, the HSE confirmed that DSE obligations extend explicitly to all home and hybrid workers — wherever they habitually use screens. This confirmation eliminates any residual ambiguity about whether remote workers are covered: they are, completely, regardless of whether the employer provided their home workstation equipment.
Why tech companies typically fail this obligation:
The most common failure pattern in AI and software companies is straightforward: the company has a DSE policy and has assessed workstations in the office, but has never assessed home workstations for the 60-80% of employees working in hybrid arrangements. When an HSE inspector or civil litigation process examines DSE compliance, the gap between the documented obligation and the incomplete assessment coverage is immediately apparent.
Research indicates approximately 50% of hybrid workers have not received adequate DSE assessment — one of the widest compliance gaps across all UK workplace health and safety obligations.
What full DSE compliance looks like for a tech company:
- Workstation assessments completed for every habitual screen user at every location they habitually work — office, home, and co-working space
- A process for assessing new starters before or on their first day
- A mechanism for employees to request reassessment when their working arrangements or equipment changes
- Equipment provision where assessments identify deficiencies — the employer's obligation, not the employee's
- Training so that employees understand how to adjust their workstation correctly
- Eye test provision on request
Health and Safety Consultants and Software solutions manage DSE assessment programmes for distributed technology workforces — tracking assessment currency, generating alerts for overdue reviews, and providing management dashboards showing compliance rates across all locations.
2. Psychosocial Risk and Burnout: The Priority Health and Safety Issue in Tech
Work-related stress, depression, and anxiety is the leading cause of work-related ill health in the UK — and the technology sector carries a specific and well-documented exposure to psychosocial risks that the general statistics understate.
The technology sector's specific psychosocial risk profile:
Performance and delivery pressure: Agile sprint cycles, product roadmap deadlines, investor milestones, and on-call incident response create sustained performance pressure that, when combined with inadequate management support, generates clinically significant stress.
Always-on culture: Messaging platforms that blur the boundary between working hours and personal time, the expectation of rapid response to notifications regardless of the hour, and the normalisation of working outside contracted hours in many tech cultures create the kind of chronic overwork that produces burnout.
AI-specific anxieties: A 2024 survey found that 59% of workers identified digital distraction as a contributory factor in workplace stress, rising to 71% among managers. For employees working on or alongside AI systems, concerns about job security, purposelessness, and the pace of change create specific psychosocial risk factors that general stress assessments may not capture.
What UK law requires:
Under the Management of Health and Safety at Work Regulations 1999, employers must assess all significant risks including psychosocial ones. The HSE Management Standards framework — covering Demands, Control, Support, Relationships, Role, and Change — provides the required methodology for stress risk assessment and is the standard against which HSE inspectors assess compliance.
A stress risk assessment using the Management Standards is not an employee wellbeing survey. It is a formal assessment of workplace design factors against defined performance standards — a compliance document, not a sentiment exercise.
The right to switch off:
The Employment Rights Act 2025 introduced provisions relating to the right to disconnect, building on the Government's commitment to give workers the ability to disengage from work outside working hours. For AI and software companies where always-on communication culture is entrenched, this creates a compliance obligation that requires formal working time and communication boundary policies.
3. Cybersecurity Team Health and Safety: A Specialist Obligation
Cybersecurity professionals within AI and software companies carry one of the most acutely stressed roles in the entire workforce — and their health and safety risk requires specific assessment and targeted management.
The scale of the problem:
Burnout affects the vast majority of cybersecurity professionals globally. The root causes are well documented: 24/7 on-call rotations with night and weekend callouts, the psychological burden of being responsible for preventing attacks that may occur at any time, alert fatigue from high-volume monitoring tools, the emotional weight of incident response, and the sustained under-resourcing that characterises many security teams relative to their actual workload.
What this means for health and safety obligations:
The HSE Management Standards framework requires assessment of the Demands factor — whether workload, pace, and working hours are manageable. For cybersecurity teams, a generic stress assessment that applies the same standards as for a product management function will miss the specific demand profile of security operations.
Specific considerations for cybersecurity team health and safety assessment include:
- On-call rota design: frequency, minimum rest periods between shifts, and maximum on-call days per rolling period
- Alert management: systems and processes for managing alert volume to prevent fatigue-induced error
- Incident response support: psychological debriefing or peer support arrangements following major incidents
- Team sizing: whether staffing levels are proportionate to the workload the team is expected to manage
- Working time compliance: whether on-call and incident response obligations are creating working time breaches under the Working Time Regulations 1998
Cybersecurity team health and safety should be assessed as a specific sub-section within the broader organisational stress risk assessment — not aggregated into a general office workforce result.
4. Working Time Compliance for Tech Teams
The Working Time Regulations 1998 create specific obligations for UK employers that are routinely under-managed in AI and software companies — where extended hours, on-call obligations, and the informal expectation of availability outside contracted hours are culturally embedded.
What the Working Time Regulations require:
- An average maximum working week of 48 hours (calculated over a 17-week reference period) — unless the employee has validly opted out
- A minimum 11 consecutive hours of rest in every 24-hour period
- A minimum 24 hours of rest in every seven-day period, or 48 hours in every 14-day period
- A minimum 20 minutes of rest in any working period exceeding six hours
- A minimum of four weeks of paid annual leave per year
Why opt-outs do not resolve the issue:
Many tech companies rely on individual opt-outs from the 48-hour maximum as the default position for all employees. Opt-outs must be individually, voluntarily, and freely signed. Requiring opt-out as a condition of employment is unlawful. An employer who cannot demonstrate that opt-outs were genuinely voluntary — rather than effectively mandatory — faces enforcement exposure. Beyond the legal position, requiring extended hours from all employees through opt-out does not eliminate the psychosocial risk of overwork — it simply removes the regulatory floor.
On-call time:
Where employees are required to be available to respond to incidents outside normal working hours, the treatment of on-call time as working time depends on the circumstances. A cybersecurity analyst who must remain at or near a fixed location during on-call hours, ready to respond immediately, is likely to have that time treated as working time under the Regulations. This has implications for rest period compliance that many tech companies have not analysed.
5. Physical Workspace and Ergonomics in Tech Offices
While remote and hybrid working means that many AI and software employees spend significant time working from home, physical office environments — including tech campuses, co-working spaces, and hot-desking arrangements — create their own health and safety obligations.
Hot-desking and dynamic workstations:
Many tech offices use hot-desking or activity-based working arrangements where employees do not have fixed workstations. This creates a specific DSE compliance challenge: individual workstation assessments are meaningless if the employee's workstation changes each day. Effective hot-desking compliance requires:
- A sufficient range of desk and chair options to accommodate different user needs
- Training so employees can adjust any workstation to suit them
- A process for employees with specific ergonomic needs to access appropriate equipment consistently
- Assessment of whether hot-desking arrangements genuinely meet the needs of all employees, including those with musculoskeletal conditions or disabilities
Acoustics and concentration:
Open-plan offices in tech companies — often designed with aesthetic rather than acoustic priorities — create sustained noise levels that contribute to cognitive fatigue and stress. While typically below the thresholds triggering the Noise at Work Regulations 2005, noise in office environments can still be assessed as a factor in the stress risk assessment's Demands dimension.
Collaborative space design:
Meeting rooms, collaboration spaces, and phone booths all create specific safety considerations around fire safety, ventilation, and safe occupancy that the general office risk assessment must address.
6. Health and Safety When Scaling Rapidly: Managing Growth Compliantly
AI and software companies scale faster than almost any other business type — and the speed of growth creates specific health and safety compliance risks that slower-growth businesses do not encounter in the same way.
The compliance gaps that rapid scaling creates:
New starters without induction: When hiring at pace, induction processes — including health and safety induction covering fire procedures, DSE arrangements, and emergency contacts — are frequently compressed or bypassed. Every new employee must receive a health and safety induction before or on their first day, regardless of how many others started the same week.
Risk assessments that have not kept pace with the business: A risk assessment produced when the company had 15 employees in one office does not remain suitable and sufficient when it has 200 employees in three offices and a distributed remote workforce. Regulation 3 of the MHSWR requires review when there has been a significant change — and the growth trajectory of many tech companies means significant changes happen constantly.
Health and safety policy that has not been updated: Section 2(3) of the HSWA requires a written health and safety policy for employers with five or more employees. The policy's organisation section names individuals by role. When those roles are held by different people, or when new roles with health and safety responsibilities are created, the policy must be updated.
Fire safety: Every new office requires a fire risk assessment under the Regulatory Reform (Fire Safety) Order 2005 — even if it is a serviced office within a shared building. The responsibility for fire safety in a technology company's occupied area does not rest entirely with the landlord or building manager.
Health and Safety Consultants who understand the pace of tech sector growth build compliance processes that scale — not bespoke solutions for each headcount milestone, but systematic management arrangements that update as the business grows.
7. Health and Safety for AI Systems and Automated Decision-Making
AI companies have a dimension of health and safety that other technology businesses do not — their products may themselves create health and safety risks for users, customers, and third parties that the business has an obligation to assess.
The emerging regulatory context:
The UK AI Safety Institute evaluates AI models for bias and unintended harm, and the Medicines and Healthcare Products Regulatory Agency issued guidance in February 2025 classifying certain digital mental health technologies as medical devices where they diagnose or treat conditions. Where an AI company's products interact with vulnerable users, make decisions affecting physical safety, or operate in safety-critical contexts, the company's health and safety obligations may extend beyond the workplace to product safety.
Internal AI use and worker health:
AI tools used internally — for code generation, task management, monitoring, and performance assessment — create their own health and safety considerations for the workers using them:
- Algorithmic management systems that monitor worker activity at granular levels create documented psychosocial harm through sustained surveillance stress
- Automation anxiety — fear of job displacement — is a recognised psychosocial risk requiring assessment and management
- AI-generated content review roles in content moderation expose workers to harmful material, creating specific psychological trauma risks that require documented assessment and support arrangements
What employers must do: Assess the specific psychosocial risks created by AI tool use within the organisation. Document the assessment and implement controls — including transparency about monitoring, limits on algorithmic management, and psychological support for content review roles.
8. International Health and Safety for Global Tech Companies
Many AI and software companies are international by design — launching with UK and US teams simultaneously, expanding to European hubs within the first year, and managing globally distributed remote workforces from day one. This creates multi-jurisdiction health and safety compliance obligations that grow faster than the internal capability to manage them.
The jurisdictions tech companies encounter first:
Netherlands: With Amsterdam a primary European tech hub, many UK AI companies expand there early. Every Dutch employer must produce a RI&E risk assessment. From the first Dutch employee, an arbodienst (certified occupational health service) affiliation is mandatory. Psychosocial workload assessment is explicitly required under Dutch law.
Germany: Berlin and Munich are major European tech centres. DGUV regulations apply. The Gefährdungsbeurteilung must cover psychosocial hazards alongside physical risks — directly relevant to the stress and burnout risk profile of technology teams.
France: For companies establishing French teams, the DUERP is mandatory from the first employee with 40-year retention. The PAPRIPACT annual prevention programme applies from 50 employees. France's Code du numérique droit à la déconnexion (right to disconnect) legislation predates and exceeds the UK's equivalent provision — specifically relevant to tech culture.
United States: OSHA's General Duty Clause and specific standards apply. For remote-first US employees, DSE equivalent obligations apply under OSHA's General Duty Clause. State-specific requirements add further complexity.
International Health and Safety Consultants who understand both the tech sector's specific risk profile and the regulatory landscape in each expansion market provide the most effective support for AI and software companies managing international growth.
ISO 45001 provides the internationally recognised management system framework applicable across all markets — enabling consistent safety management standards as the business expands.
9. Mental Health First Aid and Support Structures in Tech Companies
Mental health first aid provision and formal support structures are increasingly important in AI and software companies — where the specific risk factors of the sector (performance pressure, always-on culture, imposter syndrome, and AI anxiety) create a documented elevated prevalence of mental health difficulties.
What employers are required to do:
Employer obligations extend to managing psychosocial risks through the formal risk assessment process described in Section 2. Mental health first aid and Employee Assistance Programmes (EAPs) are not legal requirements in isolation — but they are among the most effective controls that risk assessment findings identify.
What effective mental health support looks like in tech:
Mental health first aiders: Trained individuals (typically trained through Mental Health First Aid England's two-day course) who can provide first-line support for colleagues experiencing mental health difficulties. For a technology company with 50 or more employees, at least two trained mental health first aiders is widely regarded as a reasonable minimum.
Employee Assistance Programme: External EAP provision giving employees confidential access to counselling, financial advice, and crisis support. EAPs are widely available and cost-effective — their primary limitation is awareness and uptake, which is an employer communication responsibility.
Manager training: Research consistently identifies line manager behaviour as the most significant determinant of whether stress risk controls are effective. Managers in tech environments need training that goes beyond awareness — covering how to hold supportive conversations, how to adjust workloads, and how to access further support for team members.
Psychological safety culture: A culture in which employees can raise concerns about workload, deadlines, and mental health without fear of career consequences. This is an organisational culture matter rather than a policy matter — but it is influenced by the policies, training, and leadership behaviours that health and safety management shapes.
10. Health and Safety Audits for AI and Software Companies
Independent Health and Safety Audits are as valuable for AI and software companies as for any other sector — and the specific risk profile of the tech sector creates an audit agenda that differs materially from a manufacturing or retail business.
What a tech sector health and safety audit addresses:
DSE compliance: Are workstation assessments complete for all habitual screen users — including home workers? Are identified deficiencies acted upon? Is the assessment programme current as the workforce grows and its location changes?
Stress and psychosocial risk assessment: Does a formal assessment using the HSE Management Standards exist? Does it reflect the specific risk factors of the technology business — not a generic framework applied without sector adaptation? Are the controls identified in the assessment implemented?
Working time compliance: Are there effective processes for managing working hours, on-call obligations, and opt-out management? Are rest period entitlements being met?
Policy currency: Is the health and safety policy current, specific to the organisation, and signed by the most senior person?
International compliance: For each international location — does locally compliant documentation exist? Are regulatory obligations in each jurisdiction being met?
Management system quality: Does the organisation have the management processes — risk assessment programme, training tracking, incident investigation, competent person appointment — that the MHSWR requires?
Annual independent Health and Safety Audits generate the documented due diligence evidence that enterprise client procurement, institutional investor ESG review, and — in the event of regulatory scrutiny — the HSE requires. They also drive the continuous improvement that turns compliance from a static baseline into a systematically improving management function.
11. SMCR Governance and Health and Safety in Regulated Tech Businesses
AI and software companies operating in regulated financial services — fintechs, regtech businesses, and AI companies whose products are used in regulated contexts — face the intersection of FCA Senior Managers and Certification Regime (SMCR) governance with health and safety accountability.
How SMCR and health and safety connect:
FCA-regulated businesses must map governance responsibilities to named senior managers within their SMCR accountability maps. For businesses with people management or operational responsibilities, health and safety governance falls within the scope of those accountabilities — meaning that a Senior Manager with responsibility for operations or people carries demonstrable health and safety governance obligations alongside their FCA accountability.
What this means practically:
A CRO, COO, or CPO at a regulated fintech who is accountable for information security, people operations, or technology infrastructure within their SMCR statement of responsibilities carries an implicit health and safety governance obligation — particularly for cybersecurity team welfare (CRO), home working compliance (CPO/COO), and data centre physical safety (CTO/COO).
This intersection means that health and safety management quality in SMCR-regulated tech businesses has governance dimensions that extend beyond regulatory compliance — into individual accountability and FCA fitness and propriety considerations.
12. How Arinite Supports AI and Software Companies
Arinite is a City of London-headquartered health and safety consultancy with specific expertise in the AI and software sector — supporting named technology clients including Figma, Akamai, SUSE, and Nikon, alongside financial services clients including Bell Rock Capital and media businesses including Shutterstock and Hearst.
Arinite's technology sector services:
Competent person service: Named, CMIOSH-qualified competent person appointment under Regulation 7 — fulfilling the legal obligation with documented professional accountability.
DSE programme management: Complete DSE assessment programmes for office and home workers — including assessment tools, Health and Safety Consultants and Software for tracking and reporting, and remediation support for identified deficiencies.
Stress risk assessment: Formal psychosocial risk assessment using the HSE Management Standards — sector-adapted to address the specific risk profile of technology businesses, cybersecurity teams, and AI-intensive workflows.
Health and safety policy: Annually maintained, growth-tracking policies specific to the technology business — updated as the organisation scales.
Independent Health and Safety Audits: Annual compliance audit with tech-sector-specific agenda — DSE, psychosocial risk, working time, international compliance, and management system quality.
Health and safety training: Manager training for stress and mental health, DSE user training, fire marshal training, and induction frameworks for high-growth hiring programmes.
International compliance: International Health and Safety Consultants supporting AI and software companies expanding into Netherlands, Germany, France, the US, and 50+ other countries — producing locally compliant documentation and coordinated audit programmes.
Health and Safety Consultants and Software: Digital platforms scaling with the business — from 10 to 10,000 employees, single office to global distributed teams.
Supporting over 1,500 global businesses with a 95%+ client retention rate, Arinite delivers health and safety management for tech companies that scales as fast as the business does.
Frequently Asked Questions
Do AI and software companies need a health and safety policy?
Yes. Every employer with five or more employees must have a written health and safety policy under Section 2(3) of the Health and Safety at Work Act 1974. For technology companies scaling rapidly, the policy must be reviewed and updated frequently to reflect the changing organisation.
Are DSE assessments required for home workers in tech companies?
Yes. The Health and Safety (Display Screen Equipment) Regulations 1992 apply to all habitual screen users wherever they work. The HSE confirmed in 2025 that this includes all home and hybrid workers. Every employee in an AI or software company who uses screens for an hour or more per day — which is virtually every employee — requires a workstation assessment at every location where they regularly work.
Is burnout a health and safety issue in the UK?
Yes. Burnout is a manifestation of work-related stress, which is a recognised occupational health condition. Under the Management of Health and Safety at Work Regulations 1999, employers must assess all significant risks including psychosocial ones. Burnout risk in high-pressure tech teams requires formal assessment using the HSE Management Standards framework.
What health and safety obligations apply to cybersecurity teams?
Cybersecurity teams face specific psychosocial risks from on-call obligations, alert fatigue, and incident response pressure that require targeted risk assessment. Working time compliance for on-call arrangements must be managed under the Working Time Regulations 1998. Stress risk assessment must address the cybersecurity team's specific demand profile, not aggregate it into a general office workforce result.
What happens when a tech company opens an international office?
Every new international office creates immediate health and safety compliance obligations under the law of the host country. For a UK tech company opening in Amsterdam, Dutch RI&E and arbodienst obligations apply from the first Dutch employee. For Berlin, DGUV and Gefährdungsbeurteilung requirements apply. International Health and Safety Consultants ensure that international expansion meets local obligations from day one.
Does ISO 45001 apply to software companies?
Yes. ISO 45001 is applicable to any organisation regardless of sector, size, or the nature of its activities. For AI and software companies seeking internationally recognised management system certification — increasingly expected by enterprise clients and institutional investors — ISO 45001 provides the framework.
Taking the Next Step
Health and safety for AI and software companies is not a light obligation that office-based businesses can deprioritise. DSE compliance for every hybrid worker, formal stress risk assessment for every team, working time management for every on-call rota, and coordinated international compliance for every new market are live and enforceable requirements — with enforcement activity intensifying across all of them.
Assess your tech company's compliance: Take our Health and Safety Quiz to evaluate your position across DSE, psychosocial risk, working time, and international compliance.
Discuss your specific situation: Book a free Gap Analysis Call with an Arinite consultant to understand your obligations and identify priority actions.
Engage specialist tech sector support: Contact Arinite to learn how our Health and Safety Consultants support AI and software companies across the UK and internationally.
Arinite provides specialist Health and Safety Consultants and Health and Safety Audits services to over 1,500 global businesses including technology clients Figma, Akamai, SUSE, and Nikon, across the UK and 50+ countries. Key external resources: HSE statistics overview | HSE enforcement statistics | Management of Health and Safety at Work Regulations 1999 | Health and Safety at Work Act 1974 | OSHCR consultant register
Written by
Arinite Health & Safety Consultants
Health & Safety Expert at Arinite


